Abstract — In this work, message authentication over noisy 
channels is studied. The model developed in this paper is the 
authentication theory counterpart of Wyner's wiretap channel 
model. Two types of opponent attacks, namely impersonation 
attacks and substitution attacks, are investigated for both single 
message and multiple message authentication scenarios. For each 
scenario, information theoretic lower and upper bounds on the 
opponent's success probability are derived. Remarkably, in both 
scenarios, lower and upper bounds are shown to match, and 
hence the fundamental limit of message authentication over 
noisy channels is fully characterized. The opponent's success 
probability is further shown to be smaller than that derived in the 
classic authentication model in which the channel is assumed to 
be noiseless. These results rely on a proposed novel authentication 
scheme in which key information is used to provide simultaneous 
protection against both types of attacks. 

I. Introduction 

There are two fundamental primitives for any security 
system: 1) secure transmission, to ensure that the message 
is received only by the legitimate receiver; 2) authentication, 
to ensure that the received message truly comes from the 
claimed transmitter. 

Secure transmission has been investigated under two dif- 
ferent models. In the model developed by Shannon [1], 
transmissions are assumed to be noiseless; and the source 
and intended destination use a common secret key K to 
encrypt and decrypt the message M. Transmission is said 
to be perfectly secure if the signal received at the opponent 
does not provide it with any information about M. Shannon 
proved that one needs $H(K) \geq H(M)$ to achieve perfect 
security. Taking transmission noise into consideration, Wyner 
developed the wiretap channel [2], in which the transmitter 
exploits the two different noise processes at the receiver and 
opponent to transmit information securely. Csiszár and Körner 
[3] generalized this model and characterized the capacity 
of the Discrete Memoryless Channel (DMC) with security 
constraints. 

Authentication theory with a noiseless transmission model, 
which is shown in Figure 1, was developed by Simmons [4]. 
In this model, the source S and the receiver R share a secret 
key K, which is used to identify the transmitter. When the 
transmitter intends to send message M, it transmits 
$W = f(K, M)$ over a noiseless public channel, where $f$ is the 
encoding function at the source. On receiving $W'$, which 
might be different from $W$ due to various attacks from the 
opponent O, the receiver needs to judge whether the message 
comes from the legitimate transmitter or not. If the receiver 
accepts the message (i.e., the receiver believes that the signal 
is authentic), the receiver then gets an estimate $\hat{M}$ of the 
source message M; otherwise, it rejects the message. The opponent 
gets a perfect copy of $W$ and can perform the following 
two types of attacks. The first one is called an impersonation 
attack, in which the opponent sends $W'$ to the destination 
before the source sends anything. This attack is successful if 
$W'$ is accepted by the receiver as authentic. We denote the 
success probability of this attack by $P_I$. The second attack is 
called a substitution attack, in which after receiving $W$, the 
opponent modifies it to $W'$ and sends it to the destination. The 
attack is successful if the receiver accepts $W'$ and decodes this 
into another source state. We denote the success probability 
of this attack by $P_S$. Obviously, the opponent will choose the 
attack that has higher success probability. Hence the success 
probability $P_D$ of the opponent (i.e., the cheating probability) 
is $P_D = \max\{P_I, P_S\}$. 

Fig. 1. The authentication channel. 

Lower bounds on $P_I$ and $P_S$ have been developed in [4] 
and recovered by Maurer [5] from a hypothesis testing point 
of view. In particular, it was shown that $P_I \geq 2^{-I(K;W)}$ and 
$P_S \geq 2^{-H(K|W)}$. One can easily identify a tradeoff between 
$P_I$ and $P_S$. To minimize the probability of a successful 
impersonation attack, the transmitted ciphertext, from the legitimate 
source, must contain a sufficient amount of information about 
the secret key in order to convince the legitimate receiver 
that the transmitted message comes from the source. That 
is, $I(K;W)$ should be large, which unfortunately decreases 
$H(K|W)$. Hence, the attacker can take advantage of the 
leaked information over its noiseless channel (contained in 
$W$) to increase the probability of a successful substitution 
attack. In fact, the strategy that minimizes the lower bound 
on $P_D = \max\{P_I, P_S\}$ is to use half of the key information 
to protect against the impersonation attack and the other half of 
the key information to protect against the substitution attack, 
which gives $P_D \geq 2^{-H(K)/2}$. These bounds are of a negative 
nature, since they only give lower bounds for the cheating 
probability. There is no upper-bound available in the literature, 
partly due to the fact that usual bounding techniques such 
as Jensen's inequality and the log-sum inequality are not 
applicable here. We will elaborate on this point in the sequel. 

Simmons's model was developed under a noiseless trans- 
mission model. However, since physical transmission systems 
are noisy, common practice is to use channel coding to convert 
the noisy channel into a noiseless one, and then to design 
an authentication code on top of the channel coding. Liu 
and Boncelet [6], [7] also considered the situation in which 
the channel coding is not perfect, and hence there are some 
residual errors induced by the channel. The conclusion of these 
papers is that channel noise is detrimental to authentication, 
since it will cause the receiver to reject authentic messages 
from the transmitter. 

In this paper, we take an alternative view of the transmission 
noise and design the channel coding and authentication scheme 
jointly. We show that by doing so, one can exploit the noise 
to lower the cheating probability of the opponent. More 
specifically, we derive both a lower bound and an upper-bound 
on the cheating probabilities of authentication schemes over 
noisy channels. We show that these two bounds coincide, and 
are smaller than the lower-bound on the cheating probability 
when the channel is assumed to be noiseless. In particular, 
we show that $P_D = 2^{-H(K)}$; thus all the key information 
can be used to protect against the substitution attack and 
the impersonation attack simultaneously. We also study the 
authentication of multiple messages using the same key K, 
and show that all the key information can be used to protect 
against all the attacks simultaneously. 

The rest of the paper is organized as follows. In Section II, 
we introduce the model. In Section III, we discuss the single 
message authentication scenario. We then analyze the 
authentication of multiple messages using the same key in Section IV. 
Finally, in Section V, we offer some conclusions. 

II. Model 

Throughout this paper, upper-case letters (e.g., $X$) denote 
random variables, lower-case letters (e.g., $x$) denote 
realizations of the corresponding random variables, and calligraphic 
letters (e.g., $\mathcal{X}$) denote finite alphabet sets over which 
corresponding variables range. Also, upper-case boldface letters 
(e.g., $\mathbf{X}$) denote random vectors and lower-case boldface 
letters (e.g., $\mathbf{x}$) denote realizations of the corresponding random 
vectors. 

Figure 2 shows the model under consideration. The model 
differs from Simmons's model only in that the transmission 
channel is noisy. More specifically, we consider the DMC and 
assume that when the transmitter sends $\mathbf{x}$, the receiver receives 
$\mathbf{y}$ with probability 

$$P^n_{Y|X}(\mathbf{y}|\mathbf{x}) = \prod_{j=1}^{n} P(y_j|x_j)$$

and the opponent receives $\mathbf{z}$ with probability 

$$P^n_{Z|X}(\mathbf{z}|\mathbf{x}) = \prod_{j=1}^{n} P(z_j|x_j).$$

Here $P(y|x)$ and $P(z|x)$ denote the channel transition 
probabilities, while $x$, $y$ and $z$ range through finite sets 
$\mathcal{X}$, $\mathcal{Y}$ and $\mathcal{Z}$, respectively. In order to derive more general bounds, we 
assume that the channel between the opponent and receiver is 
noiseless, and that the opponent can send anything over this 
channel. Note that this assumption does not incur any loss of 
generality, and actually gives the opponent advantages, since 
any noisy channel can be simulated by this noiseless channel 
by simply randomizing the transmitted signal. 

Fig. 2. The authentication channel. 

To identify the transmitter, we assume that the source and 
the destination have a common secret key $K$ ranging over a 
set $\mathcal{K}$ having $|\mathcal{K}|$ possible values. To transmit the message $M$, 
the source uses a stochastic encoding function $f$ to convert the 
message and key into a length $n$ vector $\mathbf{X}$, i.e., $\mathbf{X} = f(K, M)$. 
Upon receiving $\mathbf{Y}$, which may come from either the source 
or the opponent, the destination uses a decoding function $g$ to 
judge whether the message is authentic or not. If the signal is 
deemed authentic, then the destination recovers the message 
$\hat{M} = g(\mathbf{Y}, K)$; otherwise the destination sets $\phi = g(\mathbf{Y}, K)$. 
We require the condition that, if the signal is authentic, the 
decoding error probability at the destination must approach 
zero as the length of the code increases, i.e., for any $\epsilon > 0$, 
there is a positive integer $n_0$, such that when $n > n_0$, we have 

$$P_e = \Pr\{g(\mathbf{Y}, K) \neq M \mid \mathbf{Y} \text{ comes from } \mathbf{X}\} < \epsilon.$$

The error probability $P_e$ consists of two parts: $P_1$ and $P_2$, 
where $P_1$ is the probability of a miss, which is the probability 
that the receiver wrongly rejects an authentic message, and $P_2$ 
is the probability that the decoder correctly accepts the signal 
as being authentic but incorrectly decodes it. 

The opponent is assumed to be aware of the system design, 
except for the particular realizations $k$ and $m$ of the key $K$ 
and message $M$. We consider both of the two forms of attack 
described above. That is, we consider the impersonation attack, 
in which the opponent sends codeword $\mathbf{X}$ to the receiver before 
the transmitter sends anything. Such an attack is successful if 
$\mathbf{X}$ is accepted as authentic by the receiver, and we denote 
this probability of success as $P_I$ as noted above. We also 
consider the substitution attack, in which the opponent blocks 
the transmission of the main channel while receiving $\mathbf{Z}$. After 
that, the opponent modifies the signal and transmits it to the 
receiver. This attack is considered to be successful if the 
modified signal is accepted as authentic by the receiver and is 
decoded into $m'$ that is not equal to the original message $m$. 
Again, the success probability of this attack is denoted by $P_S$. 

III. Authentication of A Single Message 

A. The Wiretap Channel 

We begin by reviewing some results related to the wiretap 
channel introduced in [2]. The wiretap channel is defined by 
two DMCs $\mathcal{X} \to (\mathcal{Y}, \mathcal{Z})$, where $\mathcal{X}$ is the input alphabet 
from the transmitter, $\mathcal{Y}$ is the output alphabet at the legitimate 
receiver and $\mathcal{Z}$ is the output alphabet at the wiretapper. In 
the wiretap channel, the wiretapper is assumed to be passive, 
and the goal is to transmit information to the destination 
while preventing information leakage to the wiretapper. More 
specifically, to send a message $M \in \mathcal{M}$, the transmitter sends 
$\mathbf{X} = f(M)$, where $f$ is a stochastic encoder. After receiving 
$\mathbf{Y}$, the destination obtains an estimate $\hat{M} = g(\mathbf{Y})$. A perfectly 
secure rate $R_s$ is said to be achievable if there exist $f$ and $g$, 
such that for each $\epsilon > 0$, there is a positive integer $n_0$, such 
that $\forall n > n_0$ 

$$|\mathcal{M}| > 2^{nR_s}, \tag{1}$$

$$\Pr\{\hat{M} \neq M\} < \epsilon, \text{ and} \tag{2}$$

$$\frac{1}{n} I(M; \mathbf{Z}) < \epsilon. \tag{3}$$

The perfect secrecy capacity $C_s$ is defined to be the 
supremum of the set of $R_s$ values that satisfy the conditions (1) 
- (3). It is proved in [3] that the perfect secrecy capacity is 
given by 

$$C_s = \max \{ I(U;Y) - I(U;Z) \},$$

where $U$ is an auxiliary random variable satisfying the Markov 
chain relationship $U \to X \to YZ$. 

The source-wiretapper channel is said to be less noisy than 
the main channel, if for all possible $U$ that satisfy the above 
Markov chain relationship, one has $I(U;Z) \geq I(U;Y)$. We 
can see that the perfect secrecy capacity is nonzero unless the 
wiretapper channel is less noisy than the main channel. 

B. Authentication Scheme 

We use the wiretap channel to perform authentication. More 
specifically, if the wiretapper channel is not less noisy than the 
main channel, there exists an input distribution $P_X$ such that 
$I(X;Y) - I(X;Z) > 0$. For a given key size $|\mathcal{K}|$, there exists 
a positive integer $n_0$, such that $\forall n > n_0$, 

$$\exp\{n(I(X;Y) - I(X;Z))\} > |\mathcal{K}|.$$

In our transmission scheme, we separate the transmission 
of information and key. The source first sends the message $M$ 
using a code for the wiretap channel, and then sends the key 
$K$ using the same code book. After receiving these signals, 
the destination obtains an estimate $\hat{M}$ of the message and a 
separate estimate $\hat{K}$ of the key. If $\hat{K} = K$, the receiver accepts 
the message to be authentic; otherwise it rejects the message. 

For an impersonation attack, the optimal strategy for the 
opponent is to choose the key that has the largest probability 
of being accepted by the receiver, i.e., 

$$P_I = \max_{k' \in \mathcal{K}} \Big\{ \sum_{k} P(k)\,\gamma(k, k') \Big\},$$

where $\gamma(k, k')$ is an indicator function that equals 1 if $k'$ 
is accepted as authentic, and equals 0 in other cases. In our 
scheme, $\gamma(k, k') = 1$ if $k' = k$; otherwise $\gamma(k, k') = 0$. 

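For a substitution attack, the optimal strategy for the 
opponent is to choose $m'$ and $k'$ such that the probability of the 
message being accepted by the receiver and being decoded 
into $m' \neq m$ is maximized, i.e., 

$$
\begin{aligned}
P_S &= \sum_{\mathbf{z}_1,\mathbf{z}_2} P(\mathbf{z}_1,\mathbf{z}_2) \max_{m' \in \mathcal{M},\, k' \in \mathcal{K}} \Big\{ \sum_{m,k} P(m,k|\mathbf{z}_1,\mathbf{z}_2)\,\gamma(m,k,m',k') \Big\} \\
&= \sum_{\mathbf{z}_1,\mathbf{z}_2} P(\mathbf{z}_1)P(\mathbf{z}_2) \max_{m' \in \mathcal{M},\, k' \in \mathcal{K}} \Big\{ \sum_{m,k} P(m|\mathbf{z}_1)P(k|\mathbf{z}_2)\,\gamma(m,m')\gamma(k,k') \Big\},
\end{aligned}
$$

where $\mathbf{z}_1$ is the signal received for the message part and $\mathbf{z}_2$ is 
the signal received for the key part. Here $\gamma(m,k,m',k') = 1$ 
if $m' \neq m$ and $k' = k$, and equals 0 otherwise. The second 
equality in the above expression is due to the fact that $M$ 
and $K$ are independent, and thus that $\mathbf{Z}_1$ and $\mathbf{Z}_2$ are also 
independent. 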

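To simplify the analysis, we first upper-bound $P_S$ as follows 

$$
\begin{aligned}
P_S &= \sum_{\mathbf{z}_1,\mathbf{z}_2} P(\mathbf{z}_1)P(\mathbf{z}_2) \max_{m' \in \mathcal{M},\, k' \in \mathcal{K}} \Big\{ \sum_{m,k} P(m|\mathbf{z}_1)P(k|\mathbf{z}_2)\,\gamma(m,m')\gamma(k,k') \Big\} \\
&\overset{(a)}{\leq} \sum_{\mathbf{z}_1,\mathbf{z}_2} P(\mathbf{z}_1)P(\mathbf{z}_2) \max_{m,k} \{ P(m|\mathbf{z}_1)P(k|\mathbf{z}_2) \} \\
&= \Big( \sum_{\mathbf{z}_1} P(\mathbf{z}_1) \max_{m} \{P(m|\mathbf{z}_1)\} \Big) \Big( \sum_{\mathbf{z}_2} P(\mathbf{z}_2) \max_{k} \{P(k|\mathbf{z}_2)\} \Big) \\
&\overset{(b)}{\leq} \sum_{\mathbf{z}_2} P(\mathbf{z}_2) \max_{k} \{P(k|\mathbf{z}_2)\}.
\end{aligned}
\tag{4}
$$

In this expression, inequality (a) follows by assuming that 
$\gamma(m, m') = 1$ and $\gamma(k, k') = 1$ for $m = \arg\max_{m \in \mathcal{M}} P(m|\mathbf{z}_1)$ 
and $k = \arg\max_{k \in \mathcal{K}} P(k|\mathbf{z}_2)$. If this is not the case, the 
summation will only be smaller, since $\gamma(x, y)$ is the indicator 
function. Inequality (b) follows from the fact that $P(m|\mathbf{z}_1) \leq 1$. 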

In the sequel, we will use this upper-bound, and hence we 
can ignore the message transmission part $\mathbf{z}_1$. Consequently, 
we write $\mathbf{z}_2$ as $\mathbf{z}$ for the sake of simplicity of notation. 

After receiving $\mathbf{Z}$, the opponent gains an amount $I(K; \mathbf{Z})$ 
of information about the key, and thus can use this information 
to choose $k$ that maximizes $P(k|\mathbf{z}_2)$. From (3), we have that 

$$I(K; \mathbf{Z}) < n\epsilon. \tag{5}$$

The inequality in (5) is not enough to analyze (4) for the 
following two reasons. First, though $\epsilon$ is small, $n\epsilon$ can go to 
infinity as $n$ grows, and hence the opponent may eventually 
gain a sufficient amount of information about the key. This 
point has been pointed out in [8]-[10]. The second reason is 
that there is a maximization in the summand in (4), which 
means that we need to consider the worst case scenario, 
whereas $I(K; \mathbf{Z})$ is an average quantity. Actually, this fact is 
exploited in [4], [5] to derive the lower bounds by replacing 
this maximization with an averaging, which readily gives us 
a lower bound and is more amenable to analysis. 

In this paper, we borrow techniques from [10], [11] to 
analyze this term. 

C. Bounds 

We begin with some definitions. Let $\mathcal{C}$ be a codebook for 
the wiretap channel, and let $P(\mathbf{x}, \mathbf{z})$ be the joint distribution 
on $\mathcal{C} \times \mathcal{Z}^n$. We denote by $Q(\mathbf{z})$ the marginal distribution of $\mathbf{z}$ 
when the input distribution is limited to $\mathcal{C}$, and by 
$P(\mathbf{x}|\mathbf{z}) = P(\mathbf{x}, \mathbf{z})/Q(\mathbf{z})$ the conditional distribution of $\mathbf{x}$ given $\mathbf{z}$. 

Let $\{\mathcal{C}_1, \dots, \mathcal{C}_N\}$ be a partition of $\mathcal{C}$, and denote this 
partition as a mapping, i.e., $f : \mathcal{C} \to \{\mathcal{C}_1, \dots, \mathcal{C}_N\}$. Also 
denote by $Q_j$ the conditional distribution of $\mathbf{z}$ when the input 
distribution is uniform on $\mathcal{C}_j$, i.e., 

$$Q_j(\mathbf{z}) = \sum_{\mathbf{x} \in \mathcal{C}_j} P(\mathbf{x}, \mathbf{z}) / P(\mathcal{C}_j).$$

Define $d_{av}(f) = \sum_{j=1}^{N} P(\mathcal{C}_j)\, d(Q_j, Q)$, with 

$$d(Q_j, Q) = \sum_{\mathbf{z}} |Q_j(\mathbf{z}) - Q(\mathbf{z})|.$$

Here $d(Q_j, Q)$ is the $L_1$ distance between the two distributions 
$Q_j$ and $Q$. When $d(Q_j, Q)$ is zero, the opponent cannot 
distinguish between the uniform input distributions on $\mathcal{C}_j$ and 
$\mathcal{C}$ by observing only the channel output. 

Intuitively, if there exists a set $\mathcal{C}$ and a corresponding 
partition $f$ such that $d_{av}(f)$ is arbitrarily small, the receiver 
gains no information about the subset $\mathcal{C}_j$ from which the 
transmitted codeword $\mathbf{x}$ comes, given the channel output $\mathbf{z}$. 

We can rewrite d av (f) as follows 

N 



with 

$$d(\mathbf{z}) = \sum_{j=1}^{N} |P(\mathcal{C}_j|\mathbf{z}) - P(\mathcal{C}_j)|.$$

Here $d(\mathbf{z})$ is the $L_1$ distance between the uniform distribution 
and the conditional distribution of the key after observing $\mathbf{z}$ at the 
opponent. 

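We need the following lemma from [10]. 

Lemma 1 ([10]): Consider a wiretap channel $\mathcal{X} \to (\mathcal{Y}, \mathcal{Z})$, 
and choose $\delta > 0$. Suppose $T_P \subset \mathcal{X}^n$ is a type class 
with $P(x)$ bounded away from 0, and such that 
$I(X;Y) > I(X;Z) + 2\delta$. Then, there exist a codebook $\mathcal{C}$ with size 
$|\mathcal{C}| = \exp\{n(I(X;Y) - \delta)\}$, drawn from $T_P$, and equal-size 
disjoint subsets $\mathcal{C}_1, \dots, \mathcal{C}_N$ of $\mathcal{C}$ with 

$$N < \exp\{n(I(X;Y) - I(X;Z) - 2\delta)\},$$

such that $\mathcal{C} = \bigcup_{i=1}^{N} \mathcal{C}_i$ is a codebook with exponentially small 
average probability of error for the main channel $\mathcal{X} \to \mathcal{Y}$. 
Moreover, the partition function $f : \mathcal{C} \to \{1, \dots, N\}$ of 
$\mathcal{C}$ with $f^{-1}(i) = \mathcal{C}_i$, $i = 1, \dots, N$ has exponentially small 
$d_{av}(f)$ for the distribution $P_{\mathcal{C}}$ defined on $\mathcal{C} \times \mathcal{Z}^n$ by 

$$P_{\mathcal{C}}(\mathbf{x}, \mathbf{z}) = \frac{1}{|\mathcal{C}|} P(\mathbf{z}|\mathbf{x}), \quad \mathbf{x} \in \mathcal{C},\ \mathbf{z} \in \mathcal{Z}^n.$$

Proof: Please see [10]. ■ 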

Our main result is the following theorem. 

Theorem 1: If the source-wiretapper channel is not less 
noisy than the main channel, then $P_I = P_S = 2^{-H(K)}$, and 
hence, $P_D = 2^{-H(K)}$. 

Proof: (Sketch) For the lower-bound, the opponent can 
guess the value of the key. If the guess is correct, the opponent 
can invoke any attack and the attack will be successful. The 
probability that the opponent guesses the value of key correctly 
is $2^{-H(K)}$. This provides a lower bound. We outline the 
proof of a tight upper-bound in the following. If the 
source-wiretapper channel is not less noisy than the main channel, 
there exists an input distribution such that the secrecy rate 
is larger than zero. We generate a codebook for the wiretap 
channel according to this input distribution and transmit the 
message and key separately using this codebook. To bound the 
success probability of the substitution attack, we first bound 
the 'max' sign in (4) with $d(\mathbf{z})$. We then link $d_{av}(f)$ to the 
mutual information leaked to the opponent. Using the fact 
that the mutual information leakage in the wiretap channel 
can be arbitrarily small if the secrecy capacity is nonzero, 
we obtain an upper-bound for the success probability of the 
substitution attack that is arbitrarily close to $2^{-H(K)}$. The 
optimal strategy for the impersonation attack of the opponent 
is to guess the value of the key, hence the success probability 
of the impersonation attack is bounded by $2^{-H(K)}$. ■ 
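
The following Python code is an added example, not part of the original paper. It evaluates the right-hand side of (4) and $d_{av}(f)$ by exhaustive enumeration for an assumed toy case: a uniform one-bit key, a noiseless main channel, a BSC(p) opponent channel, and Wyner's parity coset code standing in for the Lemma 1 codebook; all function names and the value of p are illustrative.

```python
from itertools import product


def bsc_likelihood(x, z, p):
    """P(z|x) over a memoryless BSC with crossover probability p."""
    flips = sum(a != b for a, b in zip(x, z))
    return (p ** flips) * ((1 - p) ** (len(x) - flips))


def parity_cosets(n):
    """Partition C = {0,1}^n into C_0 (even parity) and C_1 (odd parity).

    Key bit k is sent by drawing x uniformly from C_k (stochastic encoder).
    This is an assumed toy code, not the codebook constructed in Lemma 1.
    """
    cosets = {0: [], 1: []}
    for x in product((0, 1), repeat=n):
        cosets[sum(x) % 2].append(x)
    return cosets


def opponent_metrics(n, p):
    """Exact values for a uniform one-bit key observed through BSC(p)^n.

    Returns (bound4, d_av):
      bound4 = sum_z Q(z) * max_k P(k|z)             right-hand side of (4)
      d_av   = sum_j P(C_j) * sum_z |Q_j(z) - Q(z)|  definition of d_av(f)
    """
    cosets = parity_cosets(n)
    prior = {k: 0.5 for k in cosets}  # P(C_j) for a uniform key
    bound4 = 0.0
    d_av = 0.0
    for z in product((0, 1), repeat=n):
        # Q_j(z): opponent's output distribution when x is uniform on C_j
        q_j = {k: sum(bsc_likelihood(x, z, p) for x in xs) / len(xs)
               for k, xs in cosets.items()}
        q = sum(prior[k] * q_j[k] for k in cosets)  # Q(z)
        # Q(z) * max_k P(k|z) equals max_k P(C_k) * Q_k(z)
        bound4 += max(prior[k] * q_j[k] for k in cosets)
        d_av += sum(prior[k] * abs(q_j[k] - q) for k in cosets)
    return bound4, d_av


if __name__ == "__main__":
    p = 0.2  # constructed crossover probability of the opponent's channel
    print(" n   bound (4)   d_av(f)")
    for n in (1, 2, 4, 8):
        b, d = opponent_metrics(n, p)
        print(f"{n:2d}   {b:.6f}   {d:.6f}")
    # p = 0 gives the opponent a noiseless copy: the key is read off exactly.
    print("noiseless opponent:", opponent_metrics(4, 0.0))
```

In this toy case the bound in (4) equals $1/2 + d_{av}(f)/2$, so it falls toward $2^{-H(K)} = 1/2$ as $n$ grows, while a noiseless opponent channel ($p = 0$) leaves it at 1.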

IV. Authentication of Multiple Messages 

In this section, we consider the situation in which the same 
key $K$ is used to authenticate a sequence of $J$ messages. We 
use the same scheme as for the single message case. That is, 
we send the message and the key separately for each packet 
using a code for the wiretap channel. Let $P_{I,i}$ be the success 
probability of the impersonation attack after the opponent has 
observed $i-1$ transmissions, i.e., the opponent sends codeword 
$\mathbf{X}_i$ to cheat the destination after observing $\mathbf{Z}_1, \dots, \mathbf{Z}_{i-1}$. This 
attack is successful if $\mathbf{X}_i$ is accepted as authentic by the 
destination. The optimal attack strategy of the opponent is to 
choose to send the key $k'$ with the largest success probability; 
that is 

$$
\begin{aligned}
P_{I,i} &= \sum_{\mathbf{z}_1,\dots,\mathbf{z}_{i-1}} P(\mathbf{z}_1,\dots,\mathbf{z}_{i-1}) \max_{k' \in \mathcal{K}} \Big\{ \sum_{k} P(k|\mathbf{z}_1,\dots,\mathbf{z}_{i-1})\,\gamma(k,k') \Big\} \\
&\leq \sum_{\mathbf{z}_1,\dots,\mathbf{z}_{i-1}} P(\mathbf{z}_1,\dots,\mathbf{z}_{i-1}) \max_{k} \{ P(k|\mathbf{z}_1,\dots,\mathbf{z}_{i-1}) \},
\end{aligned}
\tag{6}
$$

where $\gamma(k, k')$ is the indicator function defined above. 

The opponent can also choose to invoke a substitution attack 
after receiving the $i$th transmission, i.e., it changes the content 
of the $i$th packet and sends it to the destination. The attack 
is successful if the modified message is accepted as authentic 
and the destination decodes it into an incorrect source state. 
On denoting the success probability of this attack to be $P_{S,i}$, 
we have 

$$P_{S,i} = \sum_{\mathbf{z}_{i,0},\mathbf{z}_1,\dots,\mathbf{z}_i} P(\mathbf{z}_{i,0},\mathbf{z}_1,\dots,\mathbf{z}_i) \max_{m' \in \mathcal{M},\, k' \in \mathcal{K}} \Big\{ \sum_{m,k} P(m,k|\mathbf{z}_{i,0},\mathbf{z}_1,\dots,\mathbf{z}_i)\,\gamma(m,k,m',k') \Big\},$$

where $\mathbf{z}_{i,0}$ is the message part of the $i$th packet. Following the 
same steps as those in (4), we can bound $P_{S,i}$ as 

$$P_{S,i} \leq \sum_{\mathbf{z}_1,\dots,\mathbf{z}_i} P(\mathbf{z}_1,\dots,\mathbf{z}_i) \max_{k} \{ P(k|\mathbf{z}_1,\dots,\mathbf{z}_i) \}. \tag{7}$$

Note that (6) and (7) have similar forms. Hence, we can derive 
tight bounds for only one of these attacks. The result for the 
other attack follows similarly. 

Obviously, the opponent will choose the attack that 
maximizes its cheating probability $P_D$. Bounds for $P_{I,i}$ and $P_{S,i}$ 
under the noiseless transmission model were derived in [5], 
which shows that 

$$P_D = \max\{P_{I,1}, \dots, P_{I,J}, P_{S,1}, \dots, P_{S,J}\} \geq 2^{-H(K)/(J+1)}.$$

This implies that after several rounds of authentication, the 
opponent obtains almost all the information about the key and 
hence can choose an attack having a high success probability. 

On the other hand, in the noisy channel model, we show 
that one can limit the information leaked to the opponent, and 
thus the success probability of the opponent will not increase 
even by observing more packets. 

Theorem 2: For any finite $J$, $P_{I,i} = P_{S,i} = 2^{-H(K)}$, 
$i \in \{1, \dots, J\}$. Hence, $P_D = 2^{-H(K)}$. 

Proof: (Sketch) For the lower-bound, the opponent can 
guess the value of the key. If the guess is correct, the opponent 
can invoke any attack and the attack will be successful. The 
probability that the opponent guesses the value of key correctly 
is $2^{-H(K)}$. This provides a lower bound. For a tight 
upper-bound, we first upper bound the key information leaked to 
the opponent. We then follow steps similar to those of 
the single message authentication case and obtain an 
upper-bound of the success probability of the substitution attack that 
is arbitrarily close to $2^{-H(K)}$. Similarly, we obtain an 
upper-bound for the impersonation attack that is arbitrarily close to 
V. Conclusions 

In this paper, we have studied the problem of message 
authentication in the presence of channel noise. We have 
derived information theoretic lower and upper bounds for the 
success probability of an opponent's impersonation attack and 
substitution attack in single and multiple message 
authentication scenarios. We have further shown that the lower and upper 
bounds match, and thus have completely characterized these 
probabilities. We have further shown that, compared with the 
classical authentication model in which the channel is assumed 
to be noiseless, the opponent's success probability is largely 
reduced. We thus have established the utility of channel noise 
in message authentication applications. 

Exploiting other characteristics of channels, such as channel 
fading, to facilitate message authentication is an interesting 
avenue for further research. Also of interest is the develop- 
ment of authentication theory for the scenario in which the 
source and destination possess correlated, but not identical, 
sequences, which has obvious practical implications. 